---
layout: docs
page_title: Manage 3rd-party secrets
description: >-
  Generate and revoke on-demand credentials for database systems and cloud
  providers, and control access to encryption keys and cloud credentials.
---

> [!IMPORTANT]  
> **Documentation Update:** Product documentation, which was located in this repository under `/website`, is now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be made in the `web-unified-docs` repo, not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.

# Manage 3rd-party secrets

@include '/why-use-vault/manage-3p-secrets-small.mdx'


## Manage DB credentials

Use available database plugins to manage static and dynamic database credentials
with Vault.

Plugins for static credentials map internal Vault roles 1-to-1 to usernames in a
database. With static roles, Vault stores and automatically rotates passwords
for the associated database user based on a configurable period of time or
rotation schedule.

Plugins for dynamic database credentials generate database credentials on demand
for clients based on pre-configured roles in Vault. Vault also uses leases to
automatically revoke and rotate credentials over time. Every client accesses the
database with unique credentials, so tracing and auditing data access is easier.


<Tabs>
<Tab heading="Guides" group="guides">

- [Database secrets engine overview](/vault/docs/secrets/databases)
- [PostgreSQL plugin overview](/vault/docs/secrets/databases/postgresql)
- [MySQL/MariaDB plugin overview](/vault/docs/secrets/databases/mysql-maria)
- [Use a custom database secret engine](/vault/docs/secrets/databases/custom)

</Tab>
<Tab heading="Tutorials" group="tutorials">

- [Database root credential rotation](/vault/tutorials/db-credentials/database-root-rotation)
- [Dynamic secrets for database credential management](/vault/tutorials/db-credentials/database-secrets)
- [Configure dedicated connections to external database accounts](/vault/tutorials/db-credentials/configure-external-database-connection)

</Tab>
<Tab heading="References" group="reference">

- [Database telemetry metric reference](/vault/docs/internals/telemetry/metrics/database)
- [Database plugin APIs](/vault/api-docs/secret/databases)

</Tab>
</Tabs>


## Manage cloud credentials

Third-party secrets engines dynamically generate service principals with the
applicable role and group assignments mapped to internal Vault roles. Vault
then associates each service principal with a lease and automatically rotates
or revokes the service principal when the lease expires.

<Tabs>
<Tab heading="Guides" group="guides">

- [AWS secrets plugin overview](/vault/docs/secrets/aws)
- [Azure secrets plugin overview](/vault/docs/secrets/azure)
- [GCP secrets plugin overview](/vault/docs/secrets/gcp)

</Tab>
<Tab heading="Tutorials" group="tutorials">

- [Synchronize cloud native secrets](/vault/tutorials/enterprise/enable-secrets-sync)
- [Retrieve secrets for AWS applications with Vault Agent](/vault/tutorials/vault-agent/agent-aws)
- [Retrieve secrets with Vault AWS Lambda extension](/vault/tutorials/app-integration/intro-vault-aws-lambda-extension)
- [Generate Azure cloud provider credentials with Vault](/vault/tutorials/secrets-management/azure-secrets)

</Tab>
<Tab heading="References" group="reference">

- [AWS secrets plugin API](/vault/api-docs/secret/aws)
- [Azure secrets plugin API](/vault/api-docs/secret/azure)
- [GCP secrets plugin API](/vault/api-docs/secret/gcp)

</Tab>
</Tabs>


## Manage encryption keys

To work with cloud providers, you often need to use encryption keys issued and
stored by the provider in their own key management system (KMS). You also need
to maintain a root of trust both in and out of the cloud for the security
of your applications.

Vault provides centralized management for the distribution and lifecycle of
cloud provider keys while letting you leverage the cryptographic capabilities
native to your KMS providers.

<Tabs>
<Tab heading="Guides" group="guides">

- [AWS plugin overview](/vault/docs/secrets/key-management/awskms)
- [Azure plugin overview](/vault/docs/secrets/key-management/azurekeyvault)
- [GCP plugin overview](/vault/docs/secrets/key-management/gcpkms)

</Tab>
<Tab heading="Tutorials" group="tutorials">

- [Key Management Secrets Engine with Azure Key Vault](/vault/tutorials/enterprise/key-management-secrets-engine-azure-key-vault)
- [Key Management Secrets Engine with GCP Cloud KMS](/vault/tutorials/enterprise/key-management-secrets-engine-gcp-cloud-kms)

</Tab>
<Tab heading="References" group="reference">

- [Verified external key partners](/vault/docs/partners/external-keys)
- [AWS KMS plugin API](/vault/api-docs/secret/key-management/awskms)
- [Azure KMS plugin API](/vault/api-docs/secret/key-management/azurekeyvault)
- [GCP KMS plugin API](/vault/api-docs/secret/key-management/gcpkms)

</Tab>
</Tabs>

